DATA PROCESSING TERMS

1. INTRODUCTION AND SCOPE

1.1 The Data Processing Terms set forth the general terms and conditions for the Supplier’s processing of the Customer’s Personal Data, as agreed and required under Applicable Law, when supplying the Services under the Agreement. The Data Processing Terms supplement the Terms of Service and constitute part of the Agreement. The definitions not specified in the Data Processing Terms shall have the same meaning as specified in the Terms of Service.

1.2 Any deviation, clarification or supplement to the Data Processing Terms shall be agreed in a separate agreement in order to be valid. In case of any conflicting terms, the Data Processing Terms shall always take precedence in respect of processing of the Customer’s Personal Data.

1.3 The Data Processing Terms, as valid from time to time, will be sent to the Customer by the Processor in connection with the signing of the Agreement.

1.4 The Data Processing Terms consist of these general terms and conditions, and the Instructions.

2. LAWFUL PROCESSING

2.1 The Processor shall, in its capacity as processor, be liable for complying with all legal obligations on processors under Applicable Law, including but not limited to by ensuring that it (i) only processes the Personal Data in connection with its supply of the Services according to the Agreement, and (ii) only processes the Personal Data in accordance with the Data Processing Terms and in accordance with the Controller’s Instructions (and noting that any other processing, including by the Processor for its own purposes, is prohibited, except for any possible obligation to process Personal Data which follows from Applicable Law, in which case the Controller shall be informed hereof, where so permitted under Applicable Law).

2.2 The Controller shall, in its capacity as controller, be liable for complying with all legal obligations on controllers under Applicable Law, including but not limited to by ensuring that (i) it has provided all required information to the Data Subjects, (ii) all necessary consents from Data Subjects have been procured, or that other valid legal ground for the processing of the Personal Data exists, and (iii) in all other aspects that it has the full legal rights to process the Personal Data and instruct the Processor to process the Personal Data on behalf of the Controller as set out in the Data Processing Terms.

2.3 To the extent the supply of Services under the Agreement involves processing of Personal Data not only of the Controller, but also of its Customer Affiliates (or where relevant, any agreed and identified third-party), the Controller represents and warrants that (i) it has the full legal rights to represent such Customer Affiliates (and/or agreed and identified third-party), and (ii) when the Data Processing Terms refer to rights and obligations of the Controller, the Controller shall duly assume and fulfil such rights and obligations as an authorized representative of the respective Customer Affiliate etc. (implying, but not limited to, that the Processor will fulfil its obligations as a processor under Applicable Law against such Customer Affiliates by performing its obligations hereunder against the Controller).

3. THE CONTROLLER’S INSTRUCTIONS

3.1 The Controller shall provide the Processor with the Instructions in relation to the Processor’s processing of Personal Data, as required under Applicable Law and with the corresponding obligation on the Processor to process the Personal Data in accordance with said Instructions.

3.2 The Instructions are general for all customers of the Processor, and any specific additional instructions, or deviations from the general instructions, as instructed by the Controller, shall be set out in a separate agreement (and Instructions as used herein shall refer to the general instructions in the Schedule, as amended or supplemented by the specific additional instructions, or deviations from the general instructions, as set out in the separate agreement).

3.3 The Controller confirms that the Instructions contain the Controller’s complete and documented instructions to the Processor. The Controller further undertakes not to provide the Processor with Personal Data, or request processing thereof, which violates the Instructions. The Controller is liable for ensuring that all instructions are compliant with Applicable Law, and for ensuring that the Processor’s processing of the Personal Data in accordance with the Controller’s Instructions does not violate Applicable Law.

3.4 The Instructions shall be kept updated during the term of the Agreement in case of any agreement by the Parties to amend the Instructions. In case the Controller desires to amend the Instructions during the term of this Agreement, the Processor will not oppose such amendment of the Instructions without reason, provided that the change is technically feasible and, where the change affects the supply of Services or otherwise causes additional costs for the Processor, that the Parties agree on compensation for such additional costs.

3.5 In case the Processor (i) lacks Instructions, (ii) considers that new or supplementary Instructions are necessary in order for the Processor to perform its obligations according to the Data Processing Terms, and/or the Agreement and/or Applicable Law, or (iii) considers that the existing Instructions, according to the Processor’s assessment, violate Applicable Law (without limiting the Controller’s liability according to Section 3.3), the Processor shall inform the Controller hereof without delay and await further instructions before continuing with the processing of the Personal Data.

4. TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

4.1 The Processor shall maintain such technical and organizational security measures as are required under Applicable Law (in particular Article 32 of the GDPR) for its processing of Personal Data in order to safeguard the protection of the rights of the Data Subjects.

4.2 The Processor shall protect the Personal Data, when stored or otherwise processed by the Processor, from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the Personal Data.

4.3 The Controller confirms that the technical and organizational security measures are suitable for the Controller’s requirements, in consideration inter alia of the character of the Personal Data and the general risks identified by the Controller in relation to processing hereof.

4.4 For clarity, the Processor shall not be liable for the Controller’s own processing of Personal Data when using the Services, including the Controller’s access control measures in relation to Hub Planner Service, or any measure taken by any User, or any other circumstance attributable to the Controller.

5. SUB-PROCESSORS

5.1 The Controller hereby provides a general authorization for use by the Processor of Sub-Processors in connection with the supply of Hub Planner Service, including Support and Maintenance. Currently engaged Sub-Processors are set out in the Instructions and shall be deemed to be accepted by the Controller. The Processor shall inform the Controller in writing (including by electronic communication) of planned substantial changes, such as engagement of new, or replacement of, Sub-Processors. The Controller may object to such changes in writing within seven (7) days from the receipt of the communication of such change. Where the Controller does not object to the change within the said time period, the change shall be deemed to be approved.

5.2 The Processor shall provide the Controller with information on any suggested or approved Sub-Processor, including details of the company, place of processing (country) and nature of processing.

5.3 The Processor shall, in its own name but as a representative of the Controller’s interests, enter into a data processing agreement with the Sub-Processor, that imposes on the Sub-Processor obligations which correspond to those of the Processor under the Data Processing Terms (a “Sub-Processing Agreement”).

5.4 The Processor shall take all necessary actions where the Processor has reason to believe that the Sub-Processor processes Personal Data in violation of the Sub-Processing Agreement.

5.5 The Processor is liable against the Controller, as for its own actions and omissions, in relation to the Sub-Processor’s processing of Personal Data under the Sub-Processing Agreement.

6. TRANSFERS OF PERSONAL DATA TO A THIRD COUNTRY

The Processor may transfer Personal Data outside the EU/EEA. If the Processor transfers Personal Data outside the EU/EEA, or engages a Sub-Processor to process Personal Data outside of the EU/EEA, the Processor shall ensure that at least one of the following prerequisites is fulfilled:

(i) the receiving country has an adequate level of protection of Personal Data as decided by the European Commission,

(ii) the Controller confirms that the Data Subject has given his/her consent to the transfer,

(iii) the transfer is subject to the European Commission’s standard contractual clauses for transfer of Personal Data to third countries, or

(iv) the Processor is subject to Binding Corporate Rules and the receiving party in the third country is also subject to the Binding Corporate Rules.

7. ASSISTANCE, COOPERATION AND INFORMATION

7.1 Subject to the terms of this Section 7, the Processor shall assist the Controller in ensuring compliance with the obligations of Articles 32-36 of the GDPR, taking into account the nature of the processing and the information available to the Processor.

7.2 Hub Planner Service as provided by the Processor under the Agreement contains the necessary functionality to enable the Controller to fulfill its obligations in relation to Personal Data, such as responding to requests by Data Subjects for exercise of rights, and rectifying, erasing or restricting processing of Personal Data in accordance with Applicable Law. In case the Controller nevertheless needs assistance from the Processor in addition hereto, the Processor shall upon request provide such assistance in accordance with Section 7.4 below.

7.3 The Processor undertakes to inform the Controller in writing (including by electronic communication) of any personal data breach (in relation to the Processor’s processing of Personal Data under this Agreement) without undue delay from becoming aware of the personal data breach. The information shall include all information of which the Processor is aware, and which is required under Applicable Law in order to enable the Controller to fulfill its reporting and information obligations in relation to Supervisory Authorities and/or Data Subjects.

7.4 Where so requested by the Controller, the Processor may provide assistance to the Controller in relation to fulfillment of the Controller’s obligations under Applicable Law in relation to Personal Data, such as data protection impact assessments and prior consultation with Supervisory Authorities. Such assistance will be agreed on a case-by-case basis and be provided as separate service at the Controller’s cost.

7.5 In case a Data Subject, Supervisory Authority or another third-party requests information from the Processor in relation to processing of the Personal Data, the Processor shall immediately refer such request to the Controller and await further instructions.

7.6 The Processor shall inform the Controller without delay of any contacts with Data Subjects, Supervisory Authorities or other third parties in relation to processing of the Personal Data. The Processor is not entitled to represent the Controller or otherwise act on behalf of the Controller in relation to Data Subjects, Supervisory Authorities or other third parties.

7.7 The Processor undertakes to cooperate to a necessary extent in case of any audits or inspections by a Supervisory Authority in relation to processing of the Personal Data by the Processor, and to comply with any decisions taken by the Supervisory Authority on measures to fulfill security requirements or other requirements under Applicable Law in relation to processing of the Personal Data.

8. AUDIT RIGHTS

8.1 The Controller, or a third-party (external auditor) appointed by the Controller, has the right to audit the processing of Personal Data by the Processor, to the extent necessary to safeguard that the Processor, and any Sub-Processors, fulfill their obligations under the Data Processing Terms and Applicable Law. Such an audit may only relate to processing of the Controller’s Personal Data.

8.2 The Controller shall provide reasonable written notice before undertaking any audit (normally at least thirty (30) Business Days prior notice) and limit the audit to what is strictly necessary for the purposes of the audit. The Controller may not conduct audits more often than once a year, unless there are special circumstances which require more frequent audits. The Controller will bear all costs for the audit.

8.3 The Processor undertakes to provide the necessary information and/or assistance in connection with an audit according to this Section 8, to demonstrate compliance with the Data Processing Terms and Applicable Law.

8.4 A prerequisite for an audit according to this Section 8 is that the Controller, or the third-party (external auditor) appointed by the Controller, has entered into necessary confidentiality undertakings and complies with the security regulations of the Processor on the site where the inspection will take place, and that the inspection is made without risk of obstructing the Processor’s business or the protection of other customers’ information. Information which is collected in connection with the audit shall be erased after performance of the audit or where no longer required for the purposes of the audit.

8.5 The Controller acknowledges that the Processor may supply relevant information on the processing of Personal Data by the Processor, by way of a third-party audit report from a competent third-party which has performed a general audit of the Processor’s processing of Personal Data. In case the Processor provides such audit report, the Controller may rely on such audit report as an alternative to performing its own audit.

9. CONFIDENTIALITY

9.1 The Processor shall keep confidential and not disclose Personal Data or other information in relation to the processing of Personal Data to any third-party without express instruction or approval from the Controller. The Agreement’s regulations on confidentiality shall apply in all other aspects.

9.2 The Processor shall ensure that its employees, engaged consultants and other persons processing Personal Data under the Agreement are bound by confidentiality undertakings.

9.3 The confidentiality obligations according to this Section 9 do not apply (i) in relation to approved Sub-Processors, provided that the Sub-Processing Agreement contains corresponding confidentiality obligations for the Sub-Processor, or (ii) if the Processor is obliged to disclose Personal Data or other information in relation to the processing of Personal Data on the request of a Supervisory Authority, or where such obligations otherwise follow from Applicable Law, or from a decision by a court or public authority, or where disclosure is necessary for protecting the Processor’s interests in case of a legal dispute.

10. LIABILITY

10.1 A Party who has paid compensation for damage to Data Subjects or other third parties, in accordance with a final judgment or approved settlement, for breach of Applicable Law and/or the Data Processing Terms, shall have the right to claim back from the other Party all or part of that compensation, subject to the following conditions:

(a) The other Party shall be liable for a reasonable part of the compensation (including reasonable attorneys’ fees and other litigation costs incurred by the first Party), which corresponds to the other Party’s responsibility for the damage caused to the Data Subject or other third-party, due to the other Party’s breach of Applicable Law and/or the Data Processing Terms;

(b) The Processor shall not be liable for payment of compensation according to the foregoing to the extent the breach of Applicable Law and/or the Data Processing Terms has been caused by the Processor processing the Personal Data in accordance with the Controller’s Instructions;

(c) The Party claiming compensation from the other Party, shall inform the other Party in writing of the Data Subject’s or other third-party’s claim without delay, and cooperate with the other Party in defending the claim as reasonable under the circumstances;

(d) The Party claiming compensation from the other Party, shall present its final claim for compensation against the other Party under this Section 10.1, at the latest six (6) months after it has been finally established (by final judgment or approved settlement), that the Party is liable for paying compensation to a Data Subject or other third-party, however in any event at the latest six (6) months after effective termination of the Agreement; and

(e) Each Party’s liability under this Section 10.1 shall be subject to the limitations of liability set out in the Agreement.

10.2 Each Party is liable for any administrative fines imposed on the Party by a Supervisory Authority due to the Party’s breach of Applicable Law (under Art 83 GDPR or other Applicable Law). Such administrative fines are not subject to allocation of liability between the Parties under the Data Processing Terms.

11. TERM AND DISCONTINUATION OF PROCESSING OF PERSONAL DATA

11.1 The Data Processing Terms are a part of the Agreement and shall apply during the whole time period that the Processor processes Personal Data under the Agreement.

11.2 The Processor shall discontinue all processing of Personal Data, upon the expiry or termination of the Agreement, or if so instructed earlier by the Controller.

11.3 Upon the termination of the Processor’s processing of Personal Data, irrespective of cause, the Processor shall, in accordance with the Controller’s written instructions, either (i) transfer all Personal Data to the Controller (or a third-party supplier designated by the Controller) in the Processor’s standard format and by supply of a backup of the Personal Data, and if the Parties so agree, also supply agreed separate service in connection with such transfer of the Personal Data; or (ii) permanently delete the Personal Data and erase all copies thereof. In connection with the transfer or deletion, as applicable, the Processor shall safeguard that the Personal Data cannot be recreated. Deletion of the Personal Data will in any event take place at the latest ninety (90) days after effective termination of the Agreement.

12. COSTS

12.1 The Processor is only entitled to compensation for costs in the situations referred to in Section 12.2. Compensation is, in such a situation, payable (i) for separate service, in accordance with the fee rates set forth in the Agreement or fee agreed by the Parties, and (ii) for other costs, for reasonable and proven actual costs.

12.2 The Processor is entitled to compensation:

(a) Where the Processor provides assistance as a separate service, in relation to e.g. a request for assistance on data protection impact assessments or prior consultation with a Supervisory Authority, or in relation to an audit;

(b) Where the Controller changes the Instructions in a way, which causes additional costs for the Processor;

(c) Where the Controller has requirements in relation to technical and organizational security measures, which go beyond what is normally applied by the Processor for its customers (and which are in compliance with Applicable Law), and the fulfillment of such security requirements causes additional costs for the Processor; or

(d) Where, in connection with termination of the Agreement, the Controller desires to receive the Personal Data in another format than the Processor’s standard format, or requests separate service from the Processor in relation to return of Personal Data.

13. AMENDMENTS

13.1 All amendments and supplements to the Data Processing Terms, including the Instructions, shall, unless otherwise set forth, be made in writing and be signed by authorized representatives of each Party in order to be valid.

13.2 In the event that Applicable Law requires changes to the Data Processing Terms, the Parties shall agree on such changes in good faith.

14. DEFINITIONS

In the Data Processing Terms, the following defined words and phrases shall have the meanings set out below. Other defined words and phrases shall have the meanings set out in Applicable Law.

“Agreement” means the agreement between the Supplier (Processor) and the Customer (Controller) (or if relevant, between the Customer and a reseller or partner of the Supplier), for supply of the Services, and which includes the Data Processing Terms.

“Applicable Law” means all laws, statutes and regulations in force from time to time as applicable to the Parties, and in particular for the purposes of the Data Processing Terms, (i) Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (“GDPR”), or legislation replacing such legislation, and (ii) other applicable legislation in relation to protection and processing of personal data, including the Swedish Act (2018:218) with supplementary provisions to the EU Data Protection Regulation; and including for each of (i) and (ii) above applicable regulations and guidelines, including guidelines from a competent Supervisory Authority.

“Controller” means the Customer. In case the Customer instructs the Supplier to process Personal Data of Customer Affiliates, the Customer acts as their representative and is referred to as the Controller also in relation to such Customer Affiliate in the Data Processing Terms notwithstanding that the actual controller may be a Customer Affiliate.

“Data Subject” means an identified or identifiable natural person, whose personal data is included in the Personal Data.

“Instructions” means the Controller’s instructions for processing of the Personal Data, as further defined in Section 3.2 hereof.

“Personal Data” means the personal data (as defined in Applicable Law) of the Customer (or its Customer Affiliates), which is transferred to, stored by and otherwise processed by the Supplier when supplying Services under the Agreement.

“Processor” means the Supplier.

“Standard Contractual Clauses” means the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (or any successor legislation, or other applicable standard contractual clauses under Applicable Law).

“Sub-Processing Agreement” means a written data processing agreement between the Processor and a Sub-Processor, as referred to in Section 5.3 hereof.

“Sub-Processor” means a third party (including for clarity also Supplier Affiliates), which is engaged by the Processor for the purposes of processing Personal Data on behalf of the Controller.

“Supervisory Authority” means a national or EU public authority, which is responsible for the monitoring of processing of personal data according to Applicable Law (in Sweden: The Swedish Authority for Privacy Protection (IMY)).

“Third Country” means a country outside the European Economic Area (i.e. the European Union and the EFTA member states).

“User” means named users of Hub Planner Service (employed or engaged by the Customer and/or a Customer Affiliate as permitted herein), who are registered as named users and who have received unique, named user identities and passwords. For clarity, for the purposes of the Volume Limitations, actual Use does not have to be demonstrated in order for a person to count as a User, as already the setting up of access rights by the Customer for any User to Hub Planner Service will count as Use.

SCHEDULE: INSTRUCTIONS

This Schedule sets out general Instructions that are general for all customers of the Supplier, and any specific additional instructions, or deviations from the general instructions, as instructed by the Controller, shall be set out in the Order Form.

Nature and purpose of the processing of Personal Data

The processing of the Personal Data is made for the purpose of supplying the Hub Planner Service and any related separate service, which includes the measures set forth in the Agreement, and typically includes the following measures:

  • Storage in the Processor’s or its Sub-Processor’s data centre
  • System operation
  • Security surveillance and back-up copying
  • Access in connection with separate service
  • Network communication including transmission of data to and from the Controller
  • Installation of Updates
  • Access in connection with corrective measures (operational-, technical- and application support)

Types of Personal Data

The following categories of Personal Data may be included in the processing:

The Controller decides itself, when using the Hub Planner Service, what types of Personal Data shall be stored and otherwise processed therein. Data fields for registration of Personal Data are configured by the Processor based on the Controller’s requests, in connection with setup and implementation of the Hub Planner Service or separately ordered separate service.
The Processor may process the following categories of Personal Data on behalf of the Controller:

  • Name
  • Address
  • Telephone number
  • E-mail address
  • Data Subject category

Special categories of Personal Data (also referred to as sensitive Personal Data, Art 9 GDPR)
As set forth above, the Controller decides itself, when using the Hub Planner Service, what categories of Personal Data shall be stored and otherwise processed therein, including any sensitive Personal Data. Any processing of sensitive Personal Data hereunder, shall be specifically set out in the deviation schedule in the Order Form. For clarity, the Controller is always liable for ensuring (whether the Personal Data shall be classified as sensitive or not), that the Controller has the full legal right to process them and to request the Processor to process them in accordance with the Agreement.

Categories of Data Subjects
As set forth above, the Controller decides itself, when using the Hub Planner Service, what Personal Data shall be stored and otherwise processed therein, including what categories of Personal Data and Data Subjects, and decides how data fields shall be configured.

Data fields which typically are included in relation to categories of Data Subjects include:

  • Employees
  • Suppliers
  • Projects
  • Vacation Time
  • Skills
  • Time off
  • Availability
  • Schedule
  • Timesheets

Location of processing of Personal Data

The Personal Data shall, unless otherwise agreed, be processed by the Processor (and its Sub-Processor(s)) in Frankfurt, Germany, or another EU location.

Duration of processing of Personal Data

The Personal Data shall be processed by the Processor for the above stated purposes during the term of the Agreement, or until the Controller instructs the Processor to cease with the processing. The Data Processing Terms set out the measures to be undertaken upon the discontinuation of processing of the Personal Data.

Approved Sub-Processors

Amazon Web Services, Inc. (located in Frankfurt, Germany; providing services in relation to Cloud Hosting Services).

Hub Spot (located in Ireland; providing services in relation to CRM).

Sentry (located in Europe; providing services in relation to error checking and logging).

apilayer GmbH (located in Europe; validating EU VAT numbers at point of sale and validating e-mail addresses for spam).

Google Inc. (mail and file storage).

BrainTree / PayPal (payment card services).

Younium (located in Sweden; invoicing).

Zoho (located in Europe; invoicing).